Documentation
¶
Overview ¶
Package sts provides access to the Security Token Service API.
For product documentation, see: http://cloud.google.com/iam/docs/workload-identity-federation
Creating a client ¶
Usage example:
import "google.golang.org/api/sts/v1beta" ... ctx := context.Background() stsService, err := sts.NewService(ctx)
In this example, Google Application Default Credentials are used for authentication.
For information on how to create and obtain Application Default Credentials, see https://developers.google.com/identity/protocols/application-default-credentials.
Other authentication options ¶
To use an API key for authentication (note: some APIs do not support API keys), use option.WithAPIKey:
stsService, err := sts.NewService(ctx, option.WithAPIKey("AIza..."))
To use an OAuth token (e.g., a user token obtained via a three-legged OAuth flow), use option.WithTokenSource:
config := &oauth2.Config{...}
// ...
token, err := config.Exchange(ctx, ...)
stsService, err := sts.NewService(ctx, option.WithTokenSource(config.TokenSource(ctx, token)))
See https://godoc.org/google.golang.org/api/option/ for details on options.
Index ¶
- type GoogleIdentityStsV1betaExchangeTokenRequest
- type GoogleIdentityStsV1betaExchangeTokenResponse
- type Service
- type V1betaService
- type V1betaTokenCall
- func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall
- func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error)
- func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall
- func (c *V1betaTokenCall) Header() http.Header
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type GoogleIdentityStsV1betaExchangeTokenRequest ¶
type GoogleIdentityStsV1betaExchangeTokenRequest struct {
// Audience: The full resource name of the identity provider. For
// example,
// `//iam.googleapis.com/projects//workloadIdentityPools//providers/`.
// Required when exchanging an external credential for a Google access
// token.
Audience string `json:"audience,omitempty"`
// GrantType: Required. The grant type. Must be
// `urn:ietf:params:oauth:grant-type:token-exchange`, which indicates a
// token exchange.
GrantType string `json:"grantType,omitempty"`
// Options: A set of features that Security Token Service supports, in
// addition to the standard OAuth 2.0 token exchange, formatted as a
// serialized JSON object of Options.
Options string `json:"options,omitempty"`
// RequestedTokenType: Required. The type of security token. Must be
// `urn:ietf:params:oauth:token-type:access_token`, which indicates an
// OAuth 2.0 access token.
RequestedTokenType string `json:"requestedTokenType,omitempty"`
// Scope: The OAuth 2.0 scopes to include on the resulting access token,
// formatted as a list of space-delimited, case-sensitive strings.
// Required when exchanging an external credential for a Google access
// token.
Scope string `json:"scope,omitempty"`
// SubjectToken: Required. The input token. This token is a either an
// external credential issued by a workload identity pool provider, or a
// short-lived access token issued by Google. If the token is an OIDC
// JWT, it must use the JWT format defined in [RFC
// 7523](https://tools.ietf.org/html/rfc7523), and the
// `subject_token_type` must be `urn:ietf:params:oauth:token-type:jwt`.
// The following headers are required: - `kid`: The identifier of the
// signing key securing the JWT. - `alg`: The cryptographic algorithm
// securing the JWT. Must be `RS256`. The following payload fields are
// required. For more information, see [RFC 7523, Section
// 3](https://tools.ietf.org/html/rfc7523#section-3): - `iss`: The
// issuer of the token. The issuer must provide a discovery document at
// the URL `/.well-known/openid-configuration`, where “ is the value of
// this field. The document must be formatted according to section 4.2
// of the [OIDC 1.0 Discovery
// specification](https://openid.net/specs/openid-connect-discovery-1_0.h
// tml#ProviderConfigurationResponse). - `iat`: The issue time, in
// seconds, since the Unix epoch. Must be in the past. - `exp`: The
// expiration time, in seconds, since the Unix epoch. Must be less than
// 48 hours after `iat`. Shorter expiration times are more secure. If
// possible, we recommend setting an expiration time less than 6 hours.
// - `sub`: The identity asserted in the JWT. - `aud`: Configured by the
// mapper policy. The default value is the service account's unique ID.
// Example header: “` { "alg": "RS256", "kid": "us-east-11" } “`
// Example payload: “` { "iss": "https://accounts.google.com", "iat":
// 1517963104, "exp": 1517966704, "aud": "113475438248934895348", "sub":
// "113475438248934895348", "my_claims": { "additional_claim": "value" }
// } “` If `subject_token` is an AWS token, it must be a serialized,
// [signed](https://docs.aws.amazon.com/general/latest/gr/signing_aws_api
// _requests.html) request to the AWS
// [`GetCallerIdentity()`](https://docs.aws.amazon.com/STS/latest/APIRefe
// rence/API_GetCallerIdentity) method. Format the request as
// URL-encoded JSON, and set the `subject_token_type` parameter to
// `urn:ietf:params:aws:token-type:aws4_request`. The following
// parameters are required: - `url`: The URL of the AWS STS endpoint for
// `GetCallerIdentity()`, such as
// `https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15
// `. Regional endpoints are also supported. - `method`: The HTTP
// request method: `POST`. - `headers`: The HTTP request headers, which
// must include: - `Authorization`: The request signature. -
// `x-amz-date`: The time you will send the request, formatted as an
// [ISO8601
// Basic](https://docs.aws.amazon.com/general/latest/gr/sigv4_elements.ht
// ml#sigv4_elements_date) string. This is typically set to the current
// time and used to prevent replay attacks. - `host`: The hostname of
// the `url` field; for example, `sts.amazonaws.com`. -
// `x-goog-cloud-target-resource`: The full, canonical resource name of
// the workload identity pool provider, with or without an `https:`
// prefix. To help ensure data integrity, we recommend including this
// header in the `SignedHeaders` field of the signed request. For
// example:
// //iam.googleapis.com/projects//locations//workloadIdentityPools//provi
// ders/
// https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/ If you are using temporary security credentials provided by AWS, you must also include the header `x-amz-security-token`, with the value “. The following example shows a signed, serialized request: “` { "headers":[ {"key": "x-amz-date", "value": "20200815T015049Z"}, {"key": "Authorization", "value": "AWS4-HMAC-SHA256+Credential=$credential,+SignedHeaders=host;x-amz-date;x-goog-cloud-target-resource,+Signature=$signature"}, {"key": "x-goog-cloud-target-resource", "value": "//iam.googleapis.com/projects//locations//workloadIdentityPools//providers/"}, {"key": "host", "value": "sts.amazonaws.com"} . ], "method":"POST", "url":"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" } “` You can also use a Google-issued OAuth 2.0 access token with this field to obtain an access token with new security attributes applied, such as a Credential Access Boundary. In this case, set `subject_token_type` to `urn:ietf:params:oauth:token-type:access_token`. If an access token already contains security attributes, you cannot apply additional security
// attributes.
SubjectToken string `json:"subjectToken,omitempty"`
// SubjectTokenType: Required.
// `urn:ietf:params:oauth:token-type:access_token`.
SubjectTokenType string `json:"subjectTokenType,omitempty"`
// ForceSendFields is a list of field names (e.g. "Audience") to
// unconditionally include in API requests. By default, fields with
// empty values are omitted from API requests. However, any non-pointer,
// non-interface field appearing in ForceSendFields will be sent to the
// server regardless of whether the field is empty or not. This may be
// used to include empty fields in Patch requests.
ForceSendFields []string `json:"-"`
// NullFields is a list of field names (e.g. "Audience") to include in
// API requests with the JSON null value. By default, fields with empty
// values are omitted from API requests. However, any field with an
// empty value appearing in NullFields will be sent to the server as
// null. It is an error if a field in this list has a non-empty value.
// This may be used to include null fields in Patch requests.
NullFields []string `json:"-"`
}
GoogleIdentityStsV1betaExchangeTokenRequest: Request message for ExchangeToken.
func (*GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON ¶
func (s *GoogleIdentityStsV1betaExchangeTokenRequest) MarshalJSON() ([]byte, error)
type GoogleIdentityStsV1betaExchangeTokenResponse ¶
type GoogleIdentityStsV1betaExchangeTokenResponse struct {
// AccessToken: An OAuth 2.0 security token, issued by Google, in
// response to the token exchange request. Tokens can vary in size,
// depending in part on the size of mapped claims, up to a maximum of
// 12288 bytes (12 KB). Google reserves the right to change the token
// size and the maximum length at any time.
AccessToken string `json:"access_token,omitempty"`
// ExpiresIn: The amount of time, in seconds, between the time when the
// `access_token` was issued and the time when the `access_token` will
// expire. This field is absent when the `subject_token` in the request
// is a Google-issued, short-lived access token. In this case, the
// `access_token` has the same expiration time as the `subject_token`.
ExpiresIn int64 `json:"expires_in,omitempty"`
// IssuedTokenType: The token type. Always matches the value of
// `requested_token_type` from the request.
IssuedTokenType string `json:"issued_token_type,omitempty"`
// TokenType: The type of `access_token`. Always has the value `Bearer`.
TokenType string `json:"token_type,omitempty"`
// ServerResponse contains the HTTP response code and headers from the
// server.
googleapi.ServerResponse `json:"-"`
// ForceSendFields is a list of field names (e.g. "AccessToken") to
// unconditionally include in API requests. By default, fields with
// empty values are omitted from API requests. However, any non-pointer,
// non-interface field appearing in ForceSendFields will be sent to the
// server regardless of whether the field is empty or not. This may be
// used to include empty fields in Patch requests.
ForceSendFields []string `json:"-"`
// NullFields is a list of field names (e.g. "AccessToken") to include
// in API requests with the JSON null value. By default, fields with
// empty values are omitted from API requests. However, any field with
// an empty value appearing in NullFields will be sent to the server as
// null. It is an error if a field in this list has a non-empty value.
// This may be used to include null fields in Patch requests.
NullFields []string `json:"-"`
}
GoogleIdentityStsV1betaExchangeTokenResponse: Response message for ExchangeToken.
func (*GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON ¶
func (s *GoogleIdentityStsV1betaExchangeTokenResponse) MarshalJSON() ([]byte, error)
type Service ¶
type Service struct {
BasePath string // API endpoint base URL
UserAgent string // optional additional User-Agent fragment
V1beta *V1betaService
// contains filtered or unexported fields
}
func New
deprecated
New creates a new Service. It uses the provided http.Client for requests.
Deprecated: please use NewService instead. To provide a custom HTTP client, use option.WithHTTPClient. If you are using google.golang.org/api/googleapis/transport.APIKey, use option.WithAPIKey with NewService instead.
func NewService ¶
NewService creates a new Service.
type V1betaService ¶
type V1betaService struct {
// contains filtered or unexported fields
}
func NewV1betaService ¶
func NewV1betaService(s *Service) *V1betaService
func (*V1betaService) Token ¶
func (r *V1betaService) Token(googleidentitystsv1betaexchangetokenrequest *GoogleIdentityStsV1betaExchangeTokenRequest) *V1betaTokenCall
Token: Exchanges a credential for a Google OAuth 2.0 access token. The token asserts an external identity within a workload identity pool, or it applies a Credential Access Boundary to a Google access token.
type V1betaTokenCall ¶
type V1betaTokenCall struct {
// contains filtered or unexported fields
}
func (*V1betaTokenCall) Context ¶
func (c *V1betaTokenCall) Context(ctx context.Context) *V1betaTokenCall
Context sets the context to be used in this call's Do method. Any pending HTTP request will be aborted if the provided context is canceled.
func (*V1betaTokenCall) Do ¶
func (c *V1betaTokenCall) Do(opts ...googleapi.CallOption) (*GoogleIdentityStsV1betaExchangeTokenResponse, error)
Do executes the "sts.token" call. Exactly one of *GoogleIdentityStsV1betaExchangeTokenResponse or error will be non-nil. Any non-2xx status code is an error. Response headers are in either *GoogleIdentityStsV1betaExchangeTokenResponse.ServerResponse.Header or (if a response was returned at all) in error.(*googleapi.Error).Header. Use googleapi.IsNotModified to check whether the returned error was because http.StatusNotModified was returned.
func (*V1betaTokenCall) Fields ¶
func (c *V1betaTokenCall) Fields(s ...googleapi.Field) *V1betaTokenCall
Fields allows partial responses to be retrieved. See https://developers.google.com/gdata/docs/2.0/basics#PartialResponse for more information.
func (*V1betaTokenCall) Header ¶
func (c *V1betaTokenCall) Header() http.Header
Header returns an http.Header that can be modified by the caller to add HTTP headers to the request.
Source Files
Click to show internal directories.
Click to hide internal directories.